ispmanager.com for Ispmanager

How to find and remove viruses on a website in 12 steps: a visual guide from ispmanager 💪

Don’t jump to hiring a pro to clean viruses off your site. If you believe in the power of making backups and are a bit tight-fisted, you can always try to remove the viruses yourself.

If your determination hasn’t wavered, here’s some advice from a colleague with 12 years of experience in site administration, as a carefully compiled guide.

How do you even find out that your site is infected

Or a simple question – do I even need to check it? It's a quick four-step process. It's just like that old riddle about the giraffe and the refrigerator.

A riddle about a giraffe and a refrigerator. How do you get an elephant into a refrigerator? In three steps – open the door, put the elephant in, and close the door. And how do you get the giraffe in the fridge? In 4 steps: open the door, take out the elephant, put the giraffe in, and close the door.

Check your site from a search engine. Type the address of your site into the search engine. If it is grayed out and has received a warning, it means that the search engine has done the work for you and has already found viruses. If no warning pops up, don't clock off just yet. Type the query site:mydomain.com into your browser and check the pages the search engine produces. If there are any pages with irrelevant content, that’s a clear sign of infection.

Don't forget to do this when you find pages that don't belong to your site

View the site from all types of devices. Redirects to external sites also indicate that the site is compromised. An infected site may redirect users to phishing pages only under certain conditions, for example in a specific browser or only from a mobile device. So you should check the behavior of the site from different browsers, devices, and operating systems.

View the site from real devices or, if you must, from an emulator like BrowserStack. It’s a paid service that will let you view the site in different ways if you don't have a bunch of different devices on hand.

Unlike developer tools in a browser, BrowserStack runs emulation on real devices

Check your site with SiteCheck. It’s a free scanner that will scour the site for security anomalies. The scanner doesn't have access to the server side – SiteCheck only checks the source code in the browser. It will find phishing pages, DoS and spam scripts, and help you rid the site of visible junk, even if it looks like the Great Pacific Garbage Patch.

Click-clack and SiteCheck will show you if there is malware on the site

Try ThreatSign to dig deeper. It’s a paid platform that will check for server-side vulnerabilities. ThreatSign can help you find backdoors and clean up heavy viruses that are hard to find in browser code. ThreatSign monitors files and periodically scans the site, but on the downside, it’s a paid service that consumes server resources.

Well, you can't do everything yourself, can you?

How to find and remove a virus

If it has become clear that you are not tilting at windmills and there is a real virus on the site, it's time to act.

Go through the HTML and JS scripts. It’s easy to find a malicious script by looking at the site’s source code. Press Ctrl+U in your browser and check out everything that looks suspicious: iframe inserts, spam links, and JS scripts. Delete any needless, alien, or foreign stuff and that’s it. If the code is obfuscated, compare the script on the site with the original file or backup. If there are any differences, we’ll figure out what's what.
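Here is an added example, not code from the ispmanager post, of the comparison this step describes: it pulls every `<script>` and `<iframe>` opening tag out of a saved copy of the page as served and out of the backup copy, then prints the tags that exist only in the live copy. The two HTML files, the tag contents and the example.invalid URLs are constructed fixtures; on a real site you would save the page from the browser (Ctrl+U, then save) or fetch it with curl, and point the functions at that file and the backup.

```sh
# Added example (not code from the ispmanager post): list the <script> and
# <iframe> tags in the page as served and show which of them are absent from
# the backup copy. Both HTML files below are constructed fixtures.
WORK=$(mktemp -d)

cat > "$WORK/index.backup.html" <<'EOF'
<html><head>
<script src="/js/app.js"></script>
</head><body>
<h1>Hello</h1>
</body></html>
EOF

# The live copy carries an extra inline script and a 1x1 iframe (constructed
# markers standing in for an injection; the URLs are placeholders).
cat > "$WORK/index.live.html" <<'EOF'
<html><head>
<script src="/js/app.js"></script>
<script>var vst = String.fromCharCode(104,116);</script>
</head><body>
<h1>Hello</h1>
<iframe src="http://example.invalid/x" width="1" height="1"></iframe>
</body></html>
EOF

# Print every <script ...> / <iframe ...> opening tag, one per line, so the
# comparison ignores unrelated markup. -o prints only the match, -i ignores
# case; "|| true" keeps a page with no such tags from failing the function.
extract_tags() {  # usage: extract_tags HTML_FILE
    grep -o -i -E '<(script|iframe)[^>]*>' "$1" || true
}

# Tags present in the live page but not in the backup: the candidates to
# remove. comm -13 prints the lines unique to the second (live) list.
new_tags() {  # usage: new_tags LIVE_HTML BACKUP_HTML
    extract_tags "$2" | sort -u > "$WORK/backup.tags"
    extract_tags "$1" | sort -u > "$WORK/live.tags"
    comm -13 "$WORK/backup.tags" "$WORK/live.tags"
}

# How many tags were added; zero means the page matches the backup.
count_new_tags() {  # usage: count_new_tags LIVE_HTML BACKUP_HTML
    new_tags "$1" "$2" | grep -c . || true
}

new_tags "$WORK/index.live.html" "$WORK/index.backup.html"
```

comm needs both lists sorted, which sort -u provides; the count function gives a quick pass/fail that can be run from cron against every page and its backup, so a newly injected tag shows up the next morning rather than when a visitor complains.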

When it's been a while since you've gotten into the source code

Check the dates of file changes. The difference between the code on the site and the last backup file will give you an approximate time window when the virus got in. Of course, if backups are made more often, the window is narrower.

Now, you can look for the malware in all files that have been modified recently. You can quickly list PHP scripts changed in the last 7 days with the command:
find . -name '*.ph*' -mtime -7

Check for shell scripts in the upload directories. Directories that should only hold data (upload, backup, log, image, tmp, and the like) normally contain no PHP at all, so anything this command finds deserves a close look:
find /upload/ -type f -name '*.ph*'

A command to remove anything not needed (it deletes every match, so make sure your backup is in place first):
find /upload/ -name '*.php*' -exec rm '{}' \;

By the way, if there are a bunch of PHP or HTML files in one directory, your spidey sense should be tingling and you need to cut the fat. Quickly check the hosted folders with the command:
find ./ -mindepth 2 -type f -name '*.php' | cut -d/ -f2 | sort | uniq -c | sort -nr

Look for non-standard names in the directory. All unfamiliar files and folders with questionable content can safely be deleted. This works if you are initially familiar with the site directory and generally understand what to do. If not, it's okay – there is always a launch-date backup, right?
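The following is an added example, not the post's own code, that turns steps 6 to 8 (file dates, PHP in data directories, cleanup) into shell functions and runs them on a constructed site tree with one backdated legitimate file and two planted marker files (harmless placeholders, not real shells). Directory and file names are assumptions for the demo. The cleanup function replaces the post's find ... -exec rm with a move into a mirror directory, so a file removed by mistake can be put back and a real find is still available for analysis.

```sh
# Added example (not code from the ispmanager post): the file-date, data-directory
# and cleanup checks from steps 6 to 8 as shell functions, run against a
# constructed site tree. Paths and file names are made up for the demo.
SITE=$(mktemp -d)
mkdir -p "$SITE/app" "$SITE/upload/img" "$SITE/tmp"
echo '<?php echo "app"; ?>'                            > "$SITE/app/index.php"
echo '<?php /* planted marker, not a working shell */' > "$SITE/upload/img/x.php"
echo '<?php /* planted marker, not a working shell */' > "$SITE/tmp/info.phtml"
echo 'binary image data'                               > "$SITE/upload/img/logo.png"
# Backdate the legitimate file so only the planted ones look recent (touch -t is POSIX).
touch -t 202001010000 "$SITE/app/index.php"

# Step 6: PHP-like files (php, phtml, php5, ...) modified less than DAYS days ago,
# the post's `find . -name '*.ph*' -mtime -7` with the age as a parameter.
recent_php() {  # usage: recent_php DIR DAYS
    find "$1" -type f -name '*.ph*' -mtime "-$2" | sort
}

# Step 7: PHP files under directories that should hold only data. Any result
# here is worth a look regardless of its age.
php_in_data_dirs() {  # usage: php_in_data_dirs SITE_ROOT DIR...
    root=$1; shift
    for d in "$@"; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.ph*'
    done | sort
}

# Number of .php files per top-level directory, most first: the post's
# find | cut | sort | uniq -c | sort -nr pipeline. A data directory near the
# top of this list is the "spidey sense" signal the post describes.
php_count_per_dir() {  # usage: php_count_per_dir SITE_ROOT
    ( cd "$1" && find . -mindepth 2 -type f -name '*.php' \
        | cut -d/ -f2 | sort | uniq -c | sort -nr )
}

# Step 8, done reversibly: move suspects into a quarantine directory that
# mirrors their original path instead of `-exec rm`, so a false positive can
# be restored and the file is kept for analysis.
quarantine() {  # usage: quarantine SITE_ROOT QUARANTINE_DIR FILE...
    root=$1; q=$2; shift 2
    for f in "$@"; do
        rel=${f#"$root"/}
        mkdir -p "$q/$(dirname "$rel")"
        mv "$f" "$q/$rel"
    done
}

echo "Modified in the last 7 days:";       recent_php "$SITE" 7
echo "PHP in data directories:";           php_in_data_dirs "$SITE" upload tmp
echo "PHP files per top-level directory:"; php_count_per_dir "$SITE"
```

Quarantine is the step that makes the difference between a site you can recover and one you cannot: the listing commands are cheap to rerun, but a rm on a false positive is only undone by the backup the post keeps reminding you to have.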

When you deleted some random folder

Run scripts to search for malware. If the previous methods didn't help, it's time to run some kilometer-long scripts:
find ./ -type f -name "*.php" -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|mkdir\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;

Or grep without find:
grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./
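As an added example that is not from the post, here is the same signature list turned into a small triage tool: rather than printing every matching line, it counts how many different signatures each file hits and sorts the files by that score. Words like system, mkdir, chmod and eval appear in perfectly legitimate code, so a single hit is weak evidence, while a file that trips four or five signatures at once is worth opening first. The two fixture files are constructed; the planted one carries only marker words and does nothing.

```sh
# Added example (not code from the ispmanager post): run the post's signature list
# over a directory and rank files by how many *different* signatures they hit,
# instead of printing every raw match. Fixture files are constructed; the
# "planted" one only carries marker words and is not a working backdoor.
SCAN=$(mktemp -d)
mkdir -p "$SCAN/app" "$SCAN/upload"
cat > "$SCAN/upload/cache.php" <<'EOF'
<?php /* planted marker: FilesMan base64_decode gzinflate eval */ echo 1;
EOF
cat > "$SCAN/app/mailer.php" <<'EOF'
<?php
// Legitimate code whose text mentions the word "system": one hit, no alarm.
function send_mail($to) { return mail($to, 'Hi', 'Hello from the system'); }
EOF

# The post's signature list as one grep -E pattern (dots escaped so they match literally).
SIGS='wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator\.userAgent\.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String\.fromCharCode|c999sh|request12\.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files'

# Distinct signatures matched in one file, space-separated (empty if none).
file_hits() {  # usage: file_hits FILE
    grep -o -i -E "$SIGS" "$1" | sort -u | tr '\n' ' ' | sed 's/ $//' || true
}

# "COUNT PATH" for every PHP-like file with at least one hit, highest count first.
# Many different signatures in one file is a strong signal; a single hit on a
# common word such as "system", "mkdir" or "chmod" is usually legitimate code.
rank_hits() {  # usage: rank_hits DIR
    find "$1" -type f -name '*.ph*' | while read -r f; do
        n=$(grep -o -i -E "$SIGS" "$f" | sort -u | grep -c . || true)
        [ "$n" -gt 0 ] && printf '%s %s\n' "$n" "$f"
    done | sort -nr
}

# Score of the most suspicious file (0 when nothing matched at all).
top_score() {  # usage: top_score DIR
    s=$(rank_hits "$1" | head -n 1 | cut -d' ' -f1)
    echo "${s:-0}"
}

rank_hits "$SCAN" | while read -r n f; do
    printf '%s %s: %s\n' "$n" "$f" "$(file_hits "$f")"
done
```

The ranking is a reading order, not a verdict: open the top files, compare them with the backup as in step 5, and only then decide what to quarantine.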

Run PHP malware scanner. A free scanner to scan all PHP files for malicious scripts. PHP malware scanner will find infected files and point out the code fragments you should get rid of. As a bonus, the program will help you standardize your code by checking its compliance with regular expressions and text rules.

Check the database. When the site has been checked back to front, it's time to think of the database. Yes, viruses can get in there and then quickly hop back to your site even after a full cleanup.

To search the database, go to phpMyAdmin, search the tables for the following fragments, and cut out everything that doesn't belong:
<script , <? , <?php , <iframe
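Added example, not code from the post: when phpMyAdmin is not at hand, the same fragments can be searched in a mysqldump file from the shell. The dump below is a constructed fixture with WordPress-style table names (an assumption) and placeholder URLs; the functions report the table and row id of each INSERT line that carries one of the fragments, which is exactly the row to open and clean by hand.

```sh
# Added example (not code from the ispmanager post): the fragment search from
# the database step, applied to a SQL dump instead of the phpMyAdmin search box.
# The dump is constructed; table names follow the common WordPress layout.
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Welcome','<p>Hello world</p>');
INSERT INTO `wp_posts` VALUES (2,'About','<p>About us</p><script src="http://example.invalid/x.js"></script>');
INSERT INTO `wp_options` VALUES (7,'siteurl','http://example.com');
INSERT INTO `wp_options` VALUES (9,'widget_text','<iframe src="http://example.invalid/f"></iframe>');
EOF

# The post's fragments, one per line for grep -F (fixed strings, case-insensitive).
# "<?" already covers "<?php". It also hits harmless "<?xml" headers, so every
# row reported still needs a human look before anything is edited.
FRAGS='<script
<?
<iframe'

# Lines of the dump that contain at least one fragment.
dump_matches() {  # usage: dump_matches DUMPFILE
    grep -i -F "$FRAGS" "$1" || true
}

# "TABLE ID" for each matching single-row INSERT, so the row can be opened in
# phpMyAdmin and cleaned. Lines that are not INSERTs are passed through as-is.
dump_hits() {  # usage: dump_hits DUMPFILE
    dump_matches "$1" \
      | sed -E 's/^INSERT INTO `?([A-Za-z0-9_]+)`? VALUES \(([0-9]+),.*/\1 \2/'
}

dump_hits "$DUMP"
```

Real dumps often use multi-row INSERTs (one statement, many value tuples); in that case dump_matches still points you at the right table and the sed only reports the first id, so split the dump with mysqldump --skip-extended-insert before running it.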

Check files with Imunify360. Finally, you can turn to paid software to scan all files on the server and thereby calm your frayed nerves. Imunify360 will find most of the malicious software on the site. You could have started with this, but that would have been too easy, right?

The last line of defense: finds any overlooked viruses

All the steps compiled into a short guide

  1. Check the site from a search engine. There should be no warnings or unnecessary links.
  2. Check the site for redirects from all types of devices or via the BrowserStack emulator.
  3. Scan the site for viruses with SiteCheck.
  4. Run ThreatSign to check for malware on the server.
  5. Go through the HTML and JS scripts and remove any unnecessary code snippets.
  6. Check the modification dates of files to find infected ones.
  7. Check for shell scripts in the upload, backup, log, image, and tmp directories.
  8. Remove all suspicious folders and files from the directories.
  9. Use shell scripts to check the site for viruses.
  10. Check if everything is ok with PHP files using the PHP malware scanner.
  11. Don't forget to check the database.
  12. Finish off with the Imunify360 scanner.

Bonus: try ispmanager to save yourself time and effort. With our control panel, it's much easier to view directories on the server, and view databases or code in your site’s files. ispmanager also comes with various security tools: firewalls, antivirus, virus protection for mail, and DDoS protection for your site.
Try it for free
